Date: Mon, 14 Feb 2000 00:15:07 -0500
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Matthew Jonkman <jonkman@bussert.com>
Cc: cjclark@home.com, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.org>
Subject: Re: Routed and public IPs
Message-ID: <20000214001507.F38809@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <003401bf76a6$fe198fc0$030a0a0a@jonkmangarage.com>; from jonkman@bussert.com on Sun, Feb 13, 2000 at 11:50:13PM -0500
References: <045f01bf75e3$32b03d20$030a0a0a@jonkmangarage.com> <Pine.BSF.4.05.10002130844170.28527-100000@buffnet11.buffnet.net> <20000213163442.F31722@cc942873-a.ewndsr1.nj.home.com> <053e01bf766e$9a8a53a0$030a0a0a@jonkmangarage.com> <20000213232001.B38809@cc942873-a.ewndsr1.nj.home.com> <003401bf76a6$fe198fc0$030a0a0a@jonkmangarage.com>
On Sun, Feb 13, 2000 at 11:50:13PM -0500, Matthew Jonkman wrote:
> I like the idea of having the firewall act as a bridge and a nat device. I
> had tried to implement this by aliasing the internal nic with a private and
> a valid public IP. I made the internal public IP'd machines use that public
> internal IP as their gateway but no luck. I believe the theory is correct
> from what you mentioned, just my implementation on the firewall must be
> lacking. It's running nat, routed, and is an OPEN firewall. Still no luck.
> The unregistered IP'd machines run as expected but I can't make the public
> IP'd machines visible outside.
>
> Can you help? Am I an idiot or something? This seems simple. Don't answer
> that last question. I know the answer.

Well, if you want it to run as a bridge, the first thing you need to do is
stop thinking about routing the public IPs altogether.

OK, if you have registered numbers, a.b.c.0/24, and the unregistered,
10.0.0.0/24 (it's shortest to write), this is how your IPs will end up
looking,

} Internet }--[router]--[a.b.c.1:firewall:10.0.0.254]-------+
}          }                                                |
         |          |                    |           |      |
  _______|__________|____........________|___________|______|____........
         |          |                    |           |
     [a.b.c.2:] [a.b.c.3:] ........ [10.0.0.1:] [10.0.0.2:] ........
     [ hostA  ] [ hostB  ] ........ [  host1  ] [  host2  ] ........

Like this. The machines with registered IPs on the internal LAN will actually
require no new configuration, nor does the router. Since the firewall bridges,
the router is still their gateway. On the other hand, the firewall does NAT
for the unregistered machines. Their gateway will be the inside interface of
the firewall (which only has an unregistered IP associated with it).

In order to do this, you must enable bridging and bridge-with-firewall in your
kernel config (see bridge(4)). Of course, you need a bunch of IPFIREWALL
options in there for ipfw(4,8) and natd(8) too. You'll need to turn on
bridging during the startup (which does not have any rc.conf options IIRC).
And you will need to enable natd and have firewall rules in place.
-- 
Crist J. Clark                                cjclark@home.com
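Crist's checklist (kernel options, bridging at startup, natd, ipfw rules) written out for the topology in his diagram, as an added example that is not from the thread. It assumes FreeBSD 4.x sysctl and rc.conf names, fxp0 as the outside interface, fxp1 as the inside one, and 192.0.2.0/24 in place of a.b.c.0/24; the natd -u flag and the narrowly scoped divert rules are the editor's choice for keeping natd away from the bridged public hosts.

```shell
# Added example (editor's, not posted in the thread): FreeBSD 4.x-era files for
# a firewall that bridges the registered block and NATs the unregistered one.
# Assumed names: fxp0 faces the router, fxp1 the LAN, and 192.0.2.0/24 stands
# in for a.b.c.0/24. The functions only emit text, so they run on any host.
EXT_IF=fxp0; INT_IF=fxp1
PUB_NET=192.0.2.0/24; FW_PUB=192.0.2.1        # a.b.c.0/24 and a.b.c.1
PRIV_NET=10.0.0.0/24; FW_PRIV=10.0.0.254
gen_kernel_opts() {   # options to add to the kernel config
    cat <<EOF
options BRIDGE
options IPFIREWALL
options IPDIVERT
EOF
}
gen_rc_local() {      # bridging has no rc.conf knob, so switch it on here
    cat <<EOF
sysctl -w net.link.ether.bridge_cfg=$EXT_IF,$INT_IF
sysctl -w net.link.ether.bridge=1
sysctl -w net.link.ether.bridge_ipfw=1
EOF
}
gen_rc_conf() {       # natd -u rewrites RFC 1918 sources only, so bridged
    cat <<EOF
ifconfig_$EXT_IF="inet $FW_PUB netmask 255.255.255.0"
ifconfig_$INT_IF="inet $FW_PRIV netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="$EXT_IF"
natd_flags="-u"
EOF
}
gen_ipfw_rules() {    # /etc/ipfw.rules: divert before allow, default deny
    cat <<EOF
add 100 divert natd ip from $PRIV_NET to any out via $EXT_IF
add 110 divert natd ip from any to $FW_PUB in via $EXT_IF
add 200 allow ip from $PUB_NET to any
add 210 allow ip from any to $PUB_NET
add 300 allow ip from $PRIV_NET to any
add 310 allow ip from any to $PRIV_NET
add 65000 deny log ip from any to any
EOF
}
check_rules() {       # true only if every divert rule precedes every allow rule
    gen_ipfw_rules | awk '$3=="divert"{if($2+0>d)d=$2+0}
        $3=="allow"{if(a==""||$2+0<a)a=$2+0} END{exit !(d<a)}'
}
```

The a.b.c.x hosts still cross ipfw once bridge_ipfw is on, which is why the divert rules match only the 10.0.0.0/24 sources and the firewall's own public address rather than `from any to any`.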